About Bot Management
Fastly's Bot Management allows you to identify bots and decrease unwanted bot activity on your web applications. You can deploy Bot Management on your Fastly services using one or both of the following deployment options:
- Pre-cache inspection: Bot Management inspects all requests before they reach your cache layer, allowing you to control bot access to both cached and uncached resources. This deployment option enables ContentGuard.
- Post-cache inspection: Bot Management works alongside the Next-Gen WAF to analyze cache-miss requests, protecting your origin from bot attacks. This means that Bot Management will only inspect traffic going to your origin.
Prerequisites
Before enabling Bot Management for your services, you need to:
- Review the Bot Management limitations.
- Purchase the required products for your Bot Management deployment option. Pre-cache inspection requires Bot Management. Post-cache inspection requires Bot Management and Next-Gen WAF (Edge WAF deployment only).
IMPORTANT: The Essential platform for the Next-Gen WAF does not support Bot Management.
Choosing a deployment option
The deployment option you choose determines which Bot Management features are available. Pre-cache inspection features work on all traffic before caching, while post-cache inspection features integrate with the Next-Gen WAF for detection on origin-bound traffic. For comprehensive protection, you can use both deployment options.
| Bot Management feature | Pre-cache inspection | Post-cache inspection | Description |
|---|---|---|---|
| Advanced client-side detections | ❌ | ✅ | Detect bots that leverage headless browsers such as headless Chrome. |
| AI bot detection | ✅ | ✅ | Detect AI crawlers and fetchers. |
| Client challenges | ❌ | ✅ | Require users to prove that they are human or that a connection is happening through a legitimate browser. |
| Client fingerprinting | ✅ | ✅ | Identify client types and detect bots designed for malicious activities. |
| Private Access Tokens | ❌ | ✅ | Protect access to resources on your origin. |
| Server-side detection | ✅ | ✅ | Detect bots by analyzing server-side attributes, including HTTP header anomalies and User-Agent spoofing. |
| Verified Bots | ✅ | ✅ | Validate self-identified bots. |
Deploying Bot Management
Once all prerequisites have been met, you can use the Fastly control panel or API to deploy Bot Management on your Fastly services.
To deploy Bot Management on a service using the Fastly control panel, follow these steps:
- Log in to the Fastly control panel.
- From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
- Click Service configuration.
- In the Security area, click the Bot Management switch to the On position.
- For pre-cache inspection only, click the ContentGuard switch to the On position.
You can then optionally configure client challenges, advanced client-side detections, and ContentGuard for those services. Note that the other Bot Management features require no additional setup.
Monitoring bot traffic
Once you've deployed Bot Management, you can use the following dashboards to monitor bot traffic targeting your web applications:
- Bot overview: dashboard that displays pre-cache inspection metrics about the volume and types of bot traffic directed at your service.
- Bot Management: dashboard that displays post-cache inspection metrics about suspected bot activity and bot-related signals detected by the Next-Gen WAF.